Dorkbot: Life after disruption

A year ago on 2nd December 2015, a collaboration between major cybersecurity firms, law enforcement and software providers – including ESET and Microsoft – successfully managed to disrupt Dorkbot, a malware family that had been infiltrating systems worldwide for over four years.

Since its detection in April 2011, Dorkbot had caused numerous problems for businesses and individuals alike, and was described by ESET as “the most used malware variant” in its 2012 paper Dorkbot: Hunting Zombies in Latin America.

Worming its way into computers in over 190 different countries – and proving particularly prevalent in Latin America, where 54% of infections were identified – Dorkbot has been used both to obtain financial and sensitive information, and take down company servers. 

Surreptitious infiltration

The spread of this, and other similar malware, was often achieved by cybercriminals who – having purchased a so-called “crime kit” – targeted users by sending genuine-looking emails, infiltrating social networks and instant messaging services and by using removable USB drives.

“You might click on a link and think no more about it,” explains Zia Rehman, a cybersecurity expert from Perspective Risk. “But it would install itself on your computer, often masquerading as other programs your computer needs, and then monitor your traffic in the background.”

“It could also include your system in a [worldwide botnet],” he goes on to explain. “A malicious [attacker] might then use all the connections simultaneously to connect to Facebook or Ebay, for example, and your system is actively part of these attacks.”

Skilled in subterfuge

Lurking in the background of many computers – and often undetected – Dorkbot was able to install code on infected computers, steal passwords and connect to an IRC (Internet Relay Chat) server, which would then receive commands to download additional malware.

Worryingly, Dorkbot was also able to disconnect users from virus module updates, meaning that, despite providers identifying the threat and acting accordingly, users remained unaware that their system was infected.

Readily available to criminals, the malware was used to target sites including AOL, eBay, Facebook, Netflix and PayPal, amongst others.

Disrupting Dorkbot

This is why its disruption, ‘an early Christmas present’, was welcome. Information sharing between organizations about Dorkbot’s behavior meant that expertise from around the globe could be pulled together in order to disrupt what was becoming an enormous threat.

And it was tremendously successful – Dorkbot’s grip on worldwide systems has been loosened. However, other, similar forms of constantly evolving malware still pose an enormous threat to worldwide cybersecurity.

Evolution of threats

“This year, for example, the Mirai botnet, based on thousands of compromised ‘Internet of Things’ devices from televisions to security cameras, was used to knock crucial internet services offline,” explained Joe Hancock, cybersecurity lead at Mishcon de Reya LLP.

“This shows that whilst the specific attacks from Dorkbot were eventually prevented by law enforcement, the overall approach of botnets and those behind them will innovate and change tactics. Law enforcement and the cybersecurity community needs to increase its own innovation to deal with these changes.”

Importance of education

As Rehman noted, the key to minimizing risk lies in educating individuals and organizations – particularly that of clicking on an attachment or link from an unknown source.

The more people know, the better equipped they are at spotting threats, and ensuring that they remain better protected. This responsibility also falls on security providers, as ESET noted in 2012:

“We need to teach users what we do and why, and how we are protecting them against this kind of threat. In the industry we understand the importance of updates and concern about the content we see from our daily activities, but we need to talk to end-users in their own language.”

Safeguarding the world

Despite the success of the move to disrupt Dorkbot, malware remains an ever-evolving threat, both to business and to worldwide security. Dorkbot is indicative of this – it’s an ‘old’ type of malware, but one that is still active and capable of reinventing itself.

It seems therefore that the need for effective cybersecurity to guard against ever-emerging threats, as well as those active in the digital space, is more important than ever.

Author , ESET

Follow us

Copyright © 2017 ESET, All Rights Reserved.